It was 9.57am on Tuesday, August 15. “Person A”, as she later became known in court documents, was panicking.

She had become aware of a massive data breach involving tens of thousands of Afghans. What the government did next – and how quickly – was a matter of life and death.

The breach concerned the names of those who had applied for the government’s relocation scheme, plus their family members, phone numbers and, in some cases, addresses. Emails of British government officials were also enclosed.

“The fact that the Taliban may be in possession of 33,000 ARAP (Afghan Relocations and Assistance Policy) applications, including the primary applicants’ phone numbers and all the case evidence, is simply bone-chilling,” she wrote in an email to James Heappey, the armed forces minister at the time and a former army officer.

What had alarmed her was a message she had been sent on WhatsApp from an Afghan doctor.

His father had been a colonel in the Afghan National Army (ANA) and they were stuck in Pakistan. The doctor, known as “007” because of his ability to find out information, had been waiting in a hotel for six months after being accepted for sanctuary in the UK along with his family.

He sent her a screengrab from Facebook. “Is this right?” he asked. An anonymous member of a Facebook group whose members were seeking sanctuary in the UK had posted to say he had a database containing 33,000 records of applicants, adding: “I want to disclose it.”

There were some 1,300 members of the group. Any one of them could have been an infiltrator from the Taliban.

Then came another panicked message from the doctor to Person A. “He has the database, for real,” he said.

To prove he had it, the anonymous Facebook user posted personal details of nine Afghans who had applied for the Arap scheme on the group. He included the details for the doctor’s father. After being challenged by another member of the group, known only as “Person B”, the anonymous individual sent a private message to that person setting out personal information relating to Person B.

Person B reported the message to British government staff in Pakistan.

It took several hours for the Ministry of Defence (MoD) to understand the magnitude of what it was facing.

At 8.09pm, after most of the top brass had left for the day, a crisis alert came in. It was official: someone had obtained access to sensitive MoD computer files.

The Foreign Office and the intelligence agencies, including MI6, were brought up to speed. The CIA was also informed. Was there a mole? Had an enemy state hacked into the system?

Over the coming days, the MoD, with the help of GCHQ, Britain’s eavesdropping agency, was able to identify the “anonymous user” and trace back the leak to more than 18 months earlier.

In February 2022, a regular soldier working out of Regent’s Park Barracks – UK special forces headquarters – under Gwyn Jenkins, the director of special forces who was then a major general, made a catastrophic error.

Jenkins had served in Afghanistan years earlier and had already helped some of the Afghan soldiers with whom he served to get out of the country.

The soldier had been tasked with trying to authenticate Arap applications from former members of the Afghan special forces and others. By attempting to do so, he had inadvertently sent the entire database to a handful of Afghans already brought to the UK who were helping him. They then passed it on to fellow Afghans in Afghanistan who might be able to help.

The dataset was sent twice, in two separate incidents, in the same month.

Officially, the incident went unreported. It remained a secret until August 2023, when one of the Afghans who was sent it apparently had his own application for sanctuary rejected.

That was when he threatened to “disclose” the list, in a message posted on the Facebook site for Afghans seeking sanctuary in the UK. He became known as the “anonymous user” in court documents. It took four days for Facebook to delete the names from the site, after a request by the government who warned that there was a threat.

If the Taliban got their hands on it, there were fears they could start working their way through the list, hunting down and killing anyone they considered a traitor.

Person A had spent several years working as a volunteer to help vulnerable Afghans at risk from the Taliban because of their affiliation with UK forces applying for a visa to Britain.

She was horrified by the breach. “We didn’t know how exposed they were,” she told The Times. She sent an urgent message to five of her Afghan contacts, whom she nicknamed “the pivots” because they were able to spread the word to other Afghans who may have been on the list.

She said their whereabouts may have been compromised. “I told them to change their numbers. If they could move, I told them to move,” she said. Some families were put into safe houses in Afghanistan as a result. Back in the UK, a decision was made to alert those Afghans who were in Pakistan and were already due to come to Britain.

At about 2pm on August 14, the relocations team in Islamabad sent a notification to some 1,800 people waiting in Pakistan. Not all of them were eligible to come to the UK. “We have been informed there may have been a potential data breach of your contact information,” it said.

Afghans contacted David Williams, a campaigning journalist, who told the MoD he planned to write about the breach. He was urged by the government to hold off. A few days later The Times, which had exposed the poor treatment of the Afghans over several years, became aware of the incident.

As the extent of the breach became known, a decision was made by the government not to inform any of the individuals waiting in Afghanistan or elsewhere, because officials argued this would increase the risk of the Taliban finding out about the dataset and subsequently getting hold of it.

A task force was charged with working out how to reach the most vulnerable Afghans on the list before Taliban hit squads got to them first. Spies sought to delete any trace of the list from servers overseas.

Ben Wallace, the defence secretary who was due to hand over to Grant Shapps in the subsequent days, was furious. He had warned the department previously to ensure there were checks in place before emails were sent containing sensitive information. He had issued the orders after a previous data leak involving hundreds of Afghans.

A meeting of Cobra, the emergency response committee, was held in Whitehall. A “rag-tag” group of junior ministers and officials from several government departments attended because so many people were on holiday. Jenkins was the senior military representative from the MoD.

Those present were told the department was keeping an eye on any unexpected murders in the country – anything to suggest the Taliban had got hold of the list.

One of the ministers asked Jenkins if either he or Admiral Sir Tony Radakin, the chief of the defence staff, would resign over the issue. Jenkins is understood to have responded “certainly not”, and apparently sought to downplay the issue.

Others in the room from the Foreign Office pointed out that it did not matter whether those on the list were eligible or not under Arap: just being named left them exposed.

“The MoD kept saying it won’t be an issue,” said one government insider who was present. “The tone from the MoD was that people on the list would never have qualified, so who gives a shit. That is what it felt like for the rest of us.”

On Friday August 25, 2023, Wallace applied for an injunction to stop the data leak becoming public. The judge went a step further and on September 1, when Grant Shapps took over the role of defence secretary, granted a superinjunction to prevent any outside knowledge that the injunction existed. Once it was granted, the government argued for it to remain in place. So began Operation Rubific, the top-secret mission to keep the list out of the hands of the Taliban and bring those deemed to be most at risk to the UK, without them knowing why. Tens of thousands of Afghans would be left behind, even though their lives were in danger.

Months of court proceedings followed as the media fought to make the incident public and have the superinjunction lifted.

Although the Metropolitan Police was informed of the incident when it first became known to the MoD in August 2023, it was decided a criminal investigation was not necessary.

In the same month, an Afghan father of three who had been rejected for sanctuary when his colleagues were accepted, referred in an email to a “massive data breach and leak of 33,000 Arap cases”. Its significance was not realised at the time.

“We are miraculously still alive due to our wit and pure luck, but it is like we are evolving in an open tomb,” the email to the MoD’s Defence Afghanistan Relocation and Resettlement (Darr) mailbox read. “We are forced to always change places, and I never thought we’d one day face starvation but it happens. We especially never expected to have to deal with these shocking … issues on top of the gut-wrenching raw survival problems here.”

Instead of launching a police investigation, at least one of the Afghans who received the list is understood to have been flown to the UK to silence them.

It is understood that he was allowed sanctuary in the UK, along with seven members of his family, on the condition the list would go no further. One UK government source described it as a “good deal”.

As they touched down in England, he was allegedly greeted by some “men with laptops”. He was told to sign into his email using his password and then hand the laptop back. Any trace of the leaked list on the laptop was deleted.

At least one other Afghan was understood to have a copy of the list in Pakistan. What exactly happened next remains unclear, but later on it would become apparent that at least one British law firm would get its hands on the list.

“Break glass” was the term given to the moment when news of the leak became public, something ministers, officials and military personnel spent months preparing for. Those who knew about it were threatened with jail if they breached the court order and news got out. The MoD and its military spies believed throughout that the Taliban had likely not got hold of the list, nor did it know of its existence.

Yet Mr Justice Chamberlain, the judge presiding over the legal case in the Royal Courts of Justice, would later point out there was a “significant possibility” the Taliban knew of the existence of the dataset given the Facebook post.

The judge’s concern was shared by Person A, who told The Times she believed the Taliban had what amounted to a “kill list” since August 2023, given the number of Afghans who had served with the Afghan National Security Forces, comprising military and internal security forces, who had been murdered since.

“Lives could have been saved if everyone had been told about the leak back in August 2023,” she said. “It would have enabled them to flee into Iran or Pakistan, which would have bought them some time. These families trusted the MoD and sat waiting for evacuation.”

On September 2, 2023, Person A wrote to the Ministry of Defence to say she believed that “with more and more evidence emerging that the Taliban have gained access to the Arap data leak, and the information they have garnered via turncoats and torture, we have grave concerns that these families may not survive to be evacuated”.

She compiled a list of hundreds of former members of the security forces that had been discovered by the Taliban and killed. On the leaked list were members of the so-called Triples, elite Afghan units trained and funded by the UK.

Those still alive, she said, were living like they were in a “Jason Bourne film” – constantly forced to move locations and mix up their daily patterns. Some of them, she said, were so frightened they were living in caves.

“Suddenly they are on this hit list and they are having to move every few days,” she said. Her claims could not be verified. In February this year, the MoD admitted there was a “realistic possibility” the Taliban had the dataset, although it said the “balance of evidence is that they do not”.

The MoD has now triggered an operation, years in the planning, to notify the individuals who were on the list that they need to be careful because their data has been compromised. Only now can they take their fate into their own hands.

The Times

More Coverage

The final reckoning in Afghanistan

Rodger Shanahan

More related stories

The Times

Troubled pop singer found late-life fame on TikTok

American singer Connie Francis, who has died aged 87, represented an era of teenage innocence with a dozen Australian hits including Who’s Sorry Now?

Read more

The Times

Who are the Druze and why is Israel attacking Syria?

Many among the religious group, a minority in both countries, oppose coming under the rule of Damascus – and view Israel as their protector.

Read more